Azure AD Connect: Error 8344 Permission Issue Insufficient Access Rights to Perform the Operation

If your sync service completed with error and the error code is shown below;

Error 8344: Permission Issue Insufficient Access Rights to Perform the Operation

It means that the service account that you used to add the domain during the wizard setup does not have the correct/necessary permissions.

In the wizard, is this part

Capture

Capture

Note:

Please do take note that this is only for Password Synchronization and Password Writeback, for further extend permission please review the references below.

Step by step;

  1. Provide the necessary permission to the service account
    • Add the service account into the Administrators Group (Built-in OU)
    • At the forest level > Properties > Security > Add > service account
      • Next, select the service account, scroll to the permission and check “Replicate Directory Changes All” and “Replicate Directory Change
      • Due to password writeback will be turn on too, another permission you have to give to this service account is the “Change Password” and “Reset Password” under the Advanced
        • Select the service account > Advanced > Select Add > Select Principal > Service account > Descendent User Objects > Check the box for “Change Password” and “Reset Password”
    • Save your changes
    • Refresh
  2. Head to your AADC server and rerun the synchronization
  3. Check the Sync status whether it is completed without error
  4. The End

 

References:

  1. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions
  2. https://mstechtalk.com/step-by-step-azure-ad-sync-installation-guide-part-1/

 

Appendix:

  1. ADUC – Active Directory Users and Computers
  2. ADS – Active Directory Sync
  3. OU – Organization Unit
  4. AADC – Azure Active Directory Connect

What to take note when establishing trust between Domain Controllers?

Prerequisites to establish trust;

  1. Cannot be a Read-Only Domain Controller
  2. Both source and target domain controllers has to hold the PDC role to establish the trust.
    • Make sure you transfer the fsmo
  3. Both domain controllers must be able to ping each other
    • At target domain controller, Ping <source domain DNS>
    • Ping domain controller IP addresses
  4. Firewall are disable at both domain controllers
  5. Able to Nslookup each other domains

You will fail with an error if the prerequisites are not met;

“The secure channel verification on Active Directory Domain Controller <DC name> of domain <source domain> to <target domain> failed with error: The specified domain either does not exist or could not be contacted.”

 

Format not working. How to reformat USB to its original size?

The format from here doesn’t help to reformat the USB to its original size.

What I mean is this format here: File Explorer > Right click on the USB > Format

Capture

you will see that the format size allow is 32GB only, but your USB  is more than that.

The resolution to this is that you use Disk Management to reformat your USB.

  1. Open Disk Management
  2. You will notice that your USB’s volume has partial that is “Unallocated” and partial is “Used”
  3. Right click on the USB > Delete the Volume
    • Capture
  4. Then the Volume status will become “Unallocated”
  5. Right click on the USB > Select New Volume > Setup the new volume of your USB
  6. The End

Troubleshoot Virtual machines status off-critical problem in Hyper-V

In this case, it was my lab environment, I have an external SSD which is purely just for my lab. I faced this problem is because my laptop reads the external SSD and apply that drive with a different disk letter.

So at first all my virtual Hard Disk are located in disk letter E, this is their original location.

I have multiple USB and external drives so the laptop tends to have a cache of previous used drive. I recently created a bootable USB for another product and when I try to plug in my lab’s external drive, my laptop apply the driver letter as G, I didn’t notice it until I launch my Hyper-V console, the status of my virtual machines are still showing “Off-critical” for quite a long period, refresh also didn’t work. Thus, this causes unable to boot up my virtual machines.

Capture

After some thoughts, I connect one of the virtual machine and see the location/directory of my virtual hard disk and it is pointing to the driver letter E, next I go ahead and launch the file explorer and there my external drive is no longer listed as letter E instead of the letter G.

To resolve this, I launch the “Disk management” console, and change the letter of my external drive from G to E. Head back to my Hyper-V console, my virtual machines are able to boot up and the status “Off-critical” is no longer showing.

Note:

  • Do take note that it requires a requires a reboot of your laptop if you were trying to mimic/simulate this issue.

Capture

There are other reasons that you could face this issue, it could be corrupted drive, or drive is disconnected.

 

Difference of Hyper-V in Legacy Server and Non-Legacy Server (Backup)

To those that wants to perform Live backup or export (to a local drive or external drive) of your virtual machines via Hyper-V, before you jump into that there are few things that you need to take concern of;

  1. Where is your virtual machines located on what server operating system?
  2. Does the server support live backup or export?

What is live backup or export?

  • A live backup or export is where you could run your backup without having to shut down the virtual machines. This require minimal to zero impact or downtime.

 

If your virtual machines are hosted on a legacy server, such as Windows Server 2012 below, you are require to shut down the virtual machines and perform the backup or export. If the virtual machine is not shut down the export button will not be shown to you to perform the backup. However, please do take note that if you were to migrate virtual machines from legacy server to non-legacy server, is best to not use the export feature in the legacy server, please refer the reference below for full explanation and proper way to migrate.

 

If your virtual machines are hosted on a non-legacy server, such as Windows server 2012 and above, then you can perform live backup or export without the need to experiences total downtime. As technology getting more advance this is the benefit to IT admins to perform their tasks without the need to perform after hours, and end users will not experience total downtime.

 

Do also read up and understand when to use checkpoints and when not to use checkpoints. Is basically means snapshots.

 

References:

  1. https://sabrinaksy.wordpress.com/2020/02/20/how-to-migrate-or-import-vm-from-windows-server-2008-r2-to-windows-server-2012-r2/
  2. https://www.petri.com/live-exporting-windows-server-2012-r2-hyper-v-vms
  3. https://blog.workinghardinit.work/2016/06/16/live-export-a-running-virtual-machine-or-a-checkpoint/

 

Ways to Setup a Lab Environment

Hey guys! I just upload a video on “Ways to setup a Lab environment”. Is a video about my experiences with types of lab environment setup, and what are my feedback for each of them and recommendation for you guys that suits your situation.

Hope you guys enjoy the video, sorry that I sound a bit sick, is actually just cold during at night. hahaha nothing serious just chillax bro. Is been awhile that I haven’t done videos, because was occupied with work.

Here is the link to the video;

Ways to Setup a Lab environment

Hope you guys find it informative.

How to Migrate or Import VM from Windows Server 2008 R2 to Windows Server 2012 R2?

This is my first time doing VM migration or import/export of VM from server 2008 R2 to server 2012 R2. At first, I used the export function from the Hyper-V in server 2008 R2 and I notice the export result was different from the server 2012 R2. Thus, when I try to import the VM from server 2008 R2 to server 2012 R2, it was unable to recognize.

Always make a backup copy! Don’t modify the original!

This is because 2008 or 2008 R2 are legacy servers, and choosing the export feature to export the VM will result of export EXP file instead of XML file. In server 2012 R2, VM that is exported has XML file.

The best way to import VM from legacy server is to copy the entire VM folder to server 2012 R2. When I mean entire VM folder, means its VHD and etc..

This VM that I am importing does not have any checkpoints or snapshot, so I am unsure that do you required to delete the copied snapshots before you import.

So what I did was,

  1. At server 2008 R2, shut down the VM
  2. Locate the entire Data folder of the VM in File Explorer
  3. Right click the folder > Properties > Share > Advanced Sharing > Add the specific user account (server 2012 R2) and the computer (server 2012 R2) > Full Control
    • Is up to your choice on how you want your destination server to retrieve the source information (VM), it could be via a Network Share, a USB, or an external Hard Disk
  4. At server 2012 R2, open file explorer
  5. At the top bar, type “\\<2008 R2 server name/IP address>\<vm folder name>\”
  6. Copy the entire folder and paste it into server 2012 R2 (your comfortably location/driver/directory)
  7. Remember to remove the share permission of the folder in server 2008 R2, after you finish copying the folder  from server 2008 R2 to server 2012 R2
  8. Create a new folder in server 2012 R2 and rename it as your actual/original VM’s folder naming in server 2008 R2, this folder will be the new location of your VM
  9. Go to Hyper-V in server 2012 R2 > select the Import Virtual Machine at the right side bar
  10. Browse and locate the VM folder that you just copied
  11. Select the import type “Copy the virtual machine“, this allows you to create a new unique ID of the virtual machine and also allows you to choose your new location to store this VM in sever 2012 R2
    • Capture
  12. Make sure the new location are browse to the new folder that you just created in server 2012 R2
  13. Then you click next > finish and wait for the importing to complete
  14. Make sure the VM in server 2008 R2 is Shut down
  15. Start or Boot up the VM in server 2012 R2 (If required to change IP address of the VM then change)
  16. Everything is fine and monitor for 48 hours, then only decide to remove the VM in server 2008 R2

 

After import the VM, Hyper-V do not start the VM automatically. You have to start the VM manually, after import completed.

Intune Autopilot: Troubleshoot RDP access prompt

So I am testing Autopilot in my lab environment, consist a Hyper-V with its Virtual Machines. Well I am doing a manual registration, so how do I export the device information that is required my VM to be register for Autopilot?

I already have a VM running Windows 10 Pro, and I ran this script to export and automatic import the device information to be register into autopilot. However, I wasn’t running the script before Out-of-the-box-experience (OOBE) happen, so to make Autopilot work on my VM, I had to reset my VM.

Once the VM has reset,  it ask for region, language of my keyboard and next it shows a welcome page with the Display name and the company name. So I key in the email address and password of the user and also setup the PIN. However, I just notice that I set this user with the Standard permission only. Thus, the administrator account is disabled and I keep getting the RDP permission error prompt due to the user account is not in the RDP group in the VM.

Example of the prompt;

To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Remote Desktop Users group have this right. If the group you’re in doesn’t have this right, or if the right has been removed from the Remote Desktop Users group, you need to be granted the right manually.

050317_1039_Tosigninrem1

How I troubleshoot this;

  1. Is to run MMC as administrator > File > Add/Remove Snap-in
    • Capture
  2. Key in your Office 365 admin account (an account with permission that can manage device)
  3. Select Local Users and Groups > Add
    • Capture
  4. Select Local computer > Finish > Ok
  5. Expand the local users and groups > Users > Right click Administrator  > Uncheck Account is disabled
    • Capture
    • Capture
  6. Reset the local Administrator password too
  7. Select Groups > Right click on the remote desktop users > Add > Authenticated users > Ok
    • Capture
  8. Close MMC
  9. Sign out and Sign in again

 

These steps should help you from getting the prompt again.

Please take note that I am doing this in Lab environment. In production, by right not to enabled administrator account and not to do any changes to the local users and groups. 

Outlook: Why People Online Status is Grey Out?

Ever faced grey out present status in your outlook? You start to wonder was it the settings block from office 365, or is your firewall blocking, or is there registry configured?

If you have ask above questions and also checked that none above related then the next question you should ask yourself is “What Office 365 license I’m on?“. The answer is if you are not using any Office 365 enterprise license, or your Office installer is “Home and Business” you will not have the online status feature. Is a limitation based on type of license that you subscribed.

Hence, get consultation and get to understand about the licenses that you are going to purchase.

How to check?

Open your Outlook App > Click on File at top left

Capture01

Click on Options at the left side bar

Capture02

Click on People > Scroll down you will see this grey out

Capture

My Office Application are using ProPlus

Capture

OneDrive and Active Directory: Error Code 0x8004de40

First time experience such error and behaviour, so the situation is that this user has problem getting her OneDrive to work on her desktop, it was her first time setting it up and she receive the above error code after she sign in and authenticate her account.

Capture

Well from Azure AD, it will shows that her login activity for OneDrive is successful, but Azure AD doesn’t shows that her setup was failed. At first I suspect it could be network issue, tested another account it went through the setup successfully. Hence, running PowerShell (Msol), to query the user account information and perform comparison and everything was showing in good condition.

Another thing is that she can successfully use the web based on SharePoint Online and OneDrive online.

As I went through to the Exchange Admin center and notice her email addresses missing a type, that is the SPO. This type of email address is generated once the user is assigned with the Office 365 license with Sharepoint Online and OneDrive online features.

The only resolution to this is to recreate the account. 

  1. Backup mailboxes to PST and files to a local drive or external drive
    • There are many ways to backup
  2. Unassign the user license
  3. Go to Active Directory and disable the account and move it to a unsync Organization Unit
  4. Go to Azure AD Connect Server and perform the sync
  5. Go to Office 365 make sure that the account has been move to deleted users, well you could use PowerShell to query -ReturnDeletedUsers.
    • Get-MsolUser -UserPrincipalName <username>@domain.com.my -ReturnDeletedUsers
    • Once it is found, then run the remove command, you can use GUI to remove them at the Azure portal “portal.azure.com”
      • Get-MsolUser -UserPrincipalName <username>@domain.com.my -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin -Force
  6. Go back to your Active Directory and recreate the user account, and make sure it is in the sync OU
  7. Run another sync at your Azure AD Connect Server
  8. Go to Office 365 > Active Users > Search for the user and assign the license

 

There are few reasons why this happen, for my case was the old Azure AD Connect server died or corrupted and had to re-provision a new one. Users are some still on Exchange on-premise and some are in cloud, due to budget. Sometime things happen.

Anyway, hope this helps!